Overview

overview

10

Static

static

10

0d6c3de5ae...bfc2ef

ubuntu-18.04-amd64

1

17205c4318...90.exe

windows7-x64

9

17205c4318...90.exe

windows10-2004-x64

9

1cad451ced...7b.exe

windows7-x64

3

1cad451ced...7b.exe

windows10-2004-x64

3

44369783a8...a86.js

windows7-x64

3

44369783a8...a86.js

windows10-2004-x64

3

7c7acd87b4...78f.js

windows7-x64

3

7c7acd87b4...78f.js

windows10-2004-x64

3

96339a7e87...b8e5be

ubuntu-18.04-amd64

1

97daa26c59...992.js

windows7-x64

3

97daa26c59...992.js

windows10-2004-x64

3

ae7c868713...6e.exe

windows7-x64

10

ae7c868713...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe

  • Size

    543KB

  • MD5

    53fdeb923b1890d29b8f29da77995938

  • SHA1

    a996ccd0d58125bf299e89f4c03ff37afdab33fc

  • SHA256

    ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e

  • SHA512

    7c78e880f3d2dfc163625ff3d0b4676aa6a083dbbeac270520679f6b21d1c449c5af720ca7b9a68b5b3309e2de8d586cfed5d9b3a78d006e6d981a1aaf88c535

  • SSDEEP

    12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:AzmoQqUiXw2s6yiVxR

Score
10/10
blackbastadefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/ Your company id for log in: ba7a7058-3531-4b67-bae6-d602e9110361
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (6015) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
    "C:\Users\Admin\AppData\Local\Temp\ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2656
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1604
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
      PID:3256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\readme.txt
      Filesize

      401B

      MD5

      ab8018847c007394feabfa8f14626ebc

      SHA1

      d4669c9e29be5e1f32d7c30bf65ec8bd72566b2f

      SHA256

      2967e1d97d32605fc5ace49a10828800fbbefcc1e010f6004a9c88ef3ecdad88

      SHA512

      0f893ccd2add411ed93cade6519f9d2faf22831c60c279f355355406b72d92670a33b6b04362becb2344f3ff0b6ff979d9c078b24628c9de65cd421cf43402b9

      Download Submit